Risk-based security? Hogwash!

Nothing gets my goat as badly as “risk-based security” talk that is suffocating discussions lately. It is so pervasive and so obnoxiously delivered that you end up wondering if the authors of the term even know how poorly they understand information security, risk management, and the organisation they support. Dunning-Kruger effect in action if there ever was one.

Decisions, decisions

To explain what I mean, let’s look at it from the top down: 1. Everything starts with objectives. The things you want to achieve, stuff you want to do.

On risks and issues

“Issues are risks that have already occurred” is the standard view of the difference between what is popularly called “risk” and “issue”. But that’s a superficial difference that does not take into account a major attribute of “risk”: objectives. I had a recent discussion with a risk professional that went something like this:

Me: “I need to add ‘X’ to the risk register. It’s a month until and the ‘X’ is nonexistent.”

RM: “Wait, it’s not done? We don’t have it?

Transitive trust and risk

“… and of course we have set transitive trust between different sources of identity” said he with glee. That’s when I knew for certain I was not speaking with someone who has had a long and successful track record of setting up identity management in an enterprise environment. Information security practitioners will often roll out the old and tired “transitive trust is bad” adage. Unfortunately the line is parroted too often without understanding why transitive trust is bad.

Trust and related terms

Sony Pictures and risk management

Sony Pictures’ information security team, small as it is, is in the crosshairs of all and sundry after the recent breach of significant proportions. As is typical for information security, once a victim is found the ritual and merciless victim bashing can begin. What most of these pieces forget is that the issues highlighted for Sony Pictures are present, if not prevalent, in the majority of large organisations.

Kick them when they’re down

This scenario plays out time and again: a large organisation is in the news for industry-average information security practices.

Recommended books for (budding) risk professionals

Risk-related books are a dime a dozen nowadays. Many are rehashing the stuff that was new and hot a couple of decades ago, fewer are keeping up with the industry’s maturation, and even fewer are applying the academic learnings to the industry. Here’s a short list of a few books that I’ve read in the past and re-read now, either for reference, for a new appreciation of the depths that I missed before, or to see if they’re still current.

The value of risk management to the organisation

Most businesses, most boards, don’t spend a lot of time thinking about uncertainty. In fact, they are terrified of doing so. The quote is from a good article in Strategic Risk Global about the value of risk management and why many risk managers can’t seem to make a difference in the perception of what they do for the organisation. [T]o create a more effective relationship between the risk function and the board, risk managers must stand up and show their bosses that they are not mere insurance buyers, as some senior leaders perceive them to be.

Thinking about thinking: risk analysis edition

I’m catching up on my reading and one of the books I’m often going to for quick references is Charles Yoe’s “Principles of Risk Analysis”. There is a great chapter in Morgan D. Jones’s (1998) book The Thinker’s Toolkit. It is called “Thinking about Thinking,” and its primary thesis is that the human mind is not analytical by nature. He explores the fallibility of human reasoning and suggests that the best remedy for the mind’s ineffectiveness is to impose some structure on the way we think.

eBay shows what not to do in a customer data breach

TL;DR: eBay’s security was breached in late February or early March. Customer personal information was stolen. The breach was discovered two months later. The details of the breach are scarce, but eBay has divulged that the attackers only needed a simple username and password to breach eBay’s security. Using just a username and password to access customer personal information is bad. Storing customer personal information in plain text is a major no-no for any organisation that manages customer personal information. It is an even bigger no-no when the business model is based on trust.

Not everyone is WEIRD

If you are told that you are WEIRD, don’t take it as an offence. It likely means that you belong to the roughly 12% of the global population that is Western, Educated, Industrialised, Rich, and Democratic *. Good as it may sound, it also puts you at a disadvantage when dealing with people from different cultural backgrounds. The problem with reliance on studies that were done solely with WEIRD participants is that it skews the results and, worst of all, assumes a certain cultural background in decision makers:

Smart CISOs know when not to pay attention to the "wisdom of the crowds"

If Apple had followed the ‘wisdom of the crowds’ in 2006-2007 they’d never have made an iPhone. If smart CISOs paid too much attention to the Information Risk Leadership Council’s latest article they’d be in as much trouble as they purportedly are right now. There is a lot wrong with CISOs that put all their hope and budget in prevention, but the word itself is definitely not the problem. Nor is the solution that CEB IRLC (Executive Board’s Information Risk Leadership Council) advocated - although they just followed the lead of NIST.